Abstract. Given a universal Horn formula of Kleene algebra with hypotheses of the form $r = 0$, it is already known that we can efficiently construct an equation which is valid if and only if the original Horn formula is valid. This is an example of elimination of hypotheses, which is useful because the equational theory of Kleene algebra is decidable while the universal Horn theory is not. We show that hypotheses of the form $r = 0$ can still be eliminated in the presence of other hypotheses. This lets us extend any technique for eliminating hypotheses to include hypotheses of the form $r = 0$.



1. Introduction 

Kleene algebra (KA) arises in many areas of computer science, such as automata theory, 
the design and analysis of algorithms, dynamic logic, and program semantics. Many of these 
applications are enhanced by using Kleene algebra with tests (KAT), which combines KA 
with Boolean algebra. 

We can use KAT to reason propositionally about programs (see [?] for examples). The equivalence of an optimized and unoptimized program, the equivalence of an annotated and unannotated program, and partial correctness assertions can all be expressed as equations. The equational theory of KAT is well understood and has many useful properties; in particular, it is decidable (in PSPACE) and the theory remains unchanged when we restrict to relational interpretations [?]. (Relational interpretations are of the greatest interest because the intended semantics are generally relational.)

However, we frequently wish to reason about programs under certain assumptions about the interaction of atomic programs and tests. For example, if $p$ is the program "x := 0" and $b$ is the assertion "x = 0", then we want to be able to make use of the facts $pb = p$ ("after running $p$, test $b$ always succeeds") and $bp = b$ ("after test $b$ succeeds, $p$ is redundant") when reasoning about programs in which $p$ and $b$ appear; for instance, the equation $p^2 = p$ is not valid in KAT, but the formula $(pb = p \wedge bp = b) \to p^2 = p$ is. Thus, the universal Horn theory is of interest. A universal Horn formula is an implication $E \to s = t$, where $E$ is a finite set of equations. The word "universal" refers to the fact that the atomic symbols of $E$, $s$, and $t$ are implicitly universally quantified. The universal Horn theory of a class of structures $\mathcal{C}$, denoted $\mathcal{H}\mathcal{C}$, is the set of universal Horn formulas valid under all interpretations over structures in $\mathcal{C}$.

The increased generality of the universal Horn theory is accompanied by greater complexity, and the theory does not remain the same when we restrict to important classes of Kleene algebras such as *-continuous Kleene algebras with tests (KAT*) and relational Kleene algebras with tests (RKAT). $\mathcal{H}\mathrm{KAT}$ is $\Sigma^0_1$-complete (undecidable), $\mathcal{H}\mathrm{KAT}^*$ and $\mathcal{H}\mathrm{RKAT}$ are $\Pi^1_1$-complete (highly undecidable), and we have proper inclusions $\mathcal{H}\mathrm{KAT} \subset \mathcal{H}\mathrm{KAT}^* \subset \mathcal{H}\mathrm{RKAT}$.

Although these Horn theories are very complex in general, there are fragments of them that are both practical and of lower complexity. Consider the following theorem, fundamentally due to Cohen [2] and extended to the form below by Kozen and Smith [14, 11]. (The statement uses some notions that will not be defined until later, but we only need a vague understanding of it here.)

Theorem 1.1. Let $r, s, t \in \mathrm{RExp}_{P,B}$, and let $u \in \mathrm{RExp}_{P,B}$ be the universal regular expression. Then the following are equivalent.

$$\mathrm{KAT} \models r = 0 \to s = t \qquad (1.1)$$
$$\mathrm{KAT}^* \models r = 0 \to s = t \qquad (1.2)$$
$$\mathrm{RKAT} \models r = 0 \to s = t \qquad (1.3)$$
$$\mathrm{KAT} \models s + uru = t + uru \qquad (1.4)$$

The primary consequence of this theorem is that the Horn theory of Kleene algebra, restricted to formulas with hypotheses of the form $r = 0$, is decidable, and remains unchanged if we restrict to *-continuous or relational algebras: to decide if $r = 0 \to s = t$ is valid, we simply decide if $s + uru = t + uru$ is valid. In this way, we say that we have eliminated the hypothesis $r = 0$. It is also possible to eliminate other forms of hypotheses [?].

The case $r = 0$ has particular significance, because partial correctness assertions can be expressed in KAT with equations of the form $r = 0$ (and multiple equations $r_1 = 0 \wedge \cdots \wedge r_k = 0$ can be combined into $r_1 + \cdots + r_k = 0$). So Theorem 1.1 shows that the Horn theory of KAT, restricted to hypotheses of the form $r = 0$, subsumes propositional Hoare logic, is decidable, and is furthermore complete for relational interpretations [11].

Our main result, Theorem 3.2, improves Theorem 1.1 so that $r = 0$ can be eliminated in the presence of other hypotheses. This allows any other technique for eliminating hypotheses to be extended to include $r = 0$. For example, if we have a technique for eliminating $f = g$ alone, we can eliminate $f = g \wedge r = 0$ by first eliminating $r = 0$ using Theorem 3.2, leaving hypothesis $f = g$, which can then be eliminated. In this way, Theorem 3.2 is like a module for eliminating $r = 0$ that can be added on to any other technique for eliminating hypotheses.

A related result, Corollary 3.10, shows that hypotheses of the form $cp = c$ (where $c$ is Boolean and $p$ is atomic) can be eliminated in the presence of other hypotheses, although the remaining hypotheses are modified. Hypotheses of the form $cp = c$ are useful for eliminating redundant code (consider our example $bp = b$ above; it expresses the fact that $p$ is redundant when $b$ already holds). (The procedure for eliminating $cp = c$ was introduced in [7], where it was shown how to eliminate $cp = c$ and $r = 0$ at the same time. Without the benefit of Theorem 3.2, this required a construction that simultaneously dealt with both $cp = c$ and $r = 0$.)
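As an added illustration of the decision procedure that Theorem 1.1 yields (example code written for this page, not the paper's own material): the hypothesis $r = 0$ is eliminated by forming $s + uru = t + uru$, and that equation is then decided as an equality of regular languages. The language comparison uses Brzozowski derivatives, which is this example's choice and not anything the paper uses.

```python
# Added example (not from the paper): decide KA |= r = 0 -> s = t via
# Theorem 1.1, i.e. by checking s + uru = t + uru as a regular-language
# equation.  Language equality is decided with Brzozowski derivatives
# (this example's choice, not the paper's method).
from functools import reduce

# Regular expressions are nested tuples:
#   ZERO, ONE, ('sym', p), ('sum', frozenset_of_terms), ('cat', a, b), ('star', a)
ZERO, ONE = ('0',), ('1',)

def sym(p):
    return ('sym', p)

def plus(a, b):
    """Sum modulo associativity, commutativity, idempotence and x + 0 = x;
    working modulo these laws keeps the set of derivatives finite."""
    if a == ZERO:
        return b
    if b == ZERO:
        return a
    terms = frozenset()
    for x in (a, b):
        terms |= x[1] if x[0] == 'sum' else frozenset([x])
    return next(iter(terms)) if len(terms) == 1 else ('sum', terms)

def cat(a, b):
    """Product with 0 as annihilator and 1 as identity."""
    if a == ZERO or b == ZERO:
        return ZERO
    if a == ONE:
        return b
    if b == ONE:
        return a
    return ('cat', a, b)

def star(a):
    """Star, using 0* = 1* = 1 and x** = x*."""
    if a in (ZERO, ONE):
        return ONE
    return a if a[0] == 'star' else ('star', a)

def nullable(e):
    """True iff the empty string belongs to the language of e."""
    k = e[0]
    if k in ('1', 'star'):
        return True
    if k in ('0', 'sym'):
        return False
    if k == 'sum':
        return any(nullable(x) for x in e[1])
    return nullable(e[1]) and nullable(e[2])  # cat

def deriv(e, c):
    """Brzozowski derivative: a regex for { w | c w is in L(e) }."""
    k = e[0]
    if k in ('0', '1'):
        return ZERO
    if k == 'sym':
        return ONE if e[1] == c else ZERO
    if k == 'sum':
        return reduce(plus, (deriv(x, c) for x in e[1]), ZERO)
    if k == 'cat':
        a, b = e[1], e[2]
        d = cat(deriv(a, c), b)
        return plus(d, deriv(b, c)) if nullable(a) else d
    return cat(deriv(e[1], c), e)  # star: d(a*) = d(a) a*

def equivalent(s, t, alphabet):
    """Decide L(s) = L(t) by exploring pairs of derivatives (a bisimulation):
    the languages differ iff some reachable pair disagrees on the empty string."""
    seen, work = set(), [(s, t)]
    while work:
        a, b = work.pop()
        if (a, b) in seen:
            continue
        seen.add((a, b))
        if nullable(a) != nullable(b):
            return False
        work.extend((deriv(a, c), deriv(b, c)) for c in alphabet)
    return True

def universal(alphabet):
    """The universal regular expression u = (p1 + ... + pn)* of Definition 3.1."""
    return star(reduce(plus, (sym(p) for p in sorted(alphabet)), ZERO))

def eliminate_zero(r, s, t, alphabet):
    """Theorem 1.1: r = 0 -> s = t is valid iff s + uru = t + uru is valid."""
    u = universal(alphabet)
    uru = cat(cat(u, r), u)
    return plus(s, uru), plus(t, uru)

def valid_under_zero(r, s, t, alphabet):
    """Decide KA |= r = 0 -> s = t through the eliminated equation."""
    s2, t2 = eliminate_zero(r, s, t, alphabet)
    return equivalent(s2, t2, alphabet)

def demo():
    """Constructed instance: under pq = 0, (p + q)* = q* p*, since any string
    outside q* p* has a p followed later by a q and so contains pq; without
    the hypothesis the two sides denote different languages."""
    p, q = sym('p'), sym('q')
    lhs, rhs = star(plus(p, q)), cat(star(q), star(p))
    return valid_under_zero(cat(p, q), lhs, rhs, {'p', 'q'}), equivalent(lhs, rhs, {'p', 'q'})
```

Calling `demo()` returns `(True, False)`: the Horn formula $pq = 0 \to (p+q)^* = q^*p^*$ is valid, while the bare equation is not.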
2. Preliminaries

For a more complete introduction to Kleene algebra and Kleene algebra with tests, see [?].

2.1. Kleene Algebra.

Definition 2.1. An idempotent semiring is a structure $(S, +, \cdot, 0, 1)$ satisfying

$$\begin{array}{ll}
x + x = x \ \ \text{(idempotence)} & 0 \cdot x = x \cdot 0 = 0 \\
x + 0 = x & 1 \cdot x = x \cdot 1 = x \\
x + y = y + x & x \cdot (y \cdot z) = (x \cdot y) \cdot z \\
x + (y + z) = (x + y) + z & x \cdot (y + z) = x \cdot y + x \cdot z \\
& (y + z) \cdot x = y \cdot x + z \cdot x \,.
\end{array}$$

(In other words, $(S, +, 0)$ is an upper semilattice with bottom element $0$, $(S, \cdot, 1)$ is a monoid, $0$ is an annihilator for $\cdot$, and $\cdot$ distributes over $+$ on the right and left.)

We often write $xy$ for $x \cdot y$. The upper semilattice structure induces a natural partial order on any idempotent semiring: $x \le y \iff x + y = y$.

Definition 2.2. A Kleene algebra is a structure $(K, +, \cdot, {}^*, 0, 1)$ such that $(K, +, \cdot, 0, 1)$ forms an idempotent semiring, and which satisfies

$$1 + xx^* \le x^* \qquad (2.1)$$
$$1 + x^*x \le x^* \qquad (2.2)$$
$$p + qx \le x \to q^*p \le x \qquad (2.3)$$
$$p + xq \le x \to pq^* \le x \,. \qquad (2.4)$$

(The order of precedence among the operators is $* > \cdot > +$, so that $p + qr^* = p + (q \cdot (r^*))$.) We let KA denote the category of all Kleene algebras and their homomorphisms. Equations (2.1)-(2.4) are called the Kleene algebra *-axioms.

Given a set $\Sigma$ of constant symbols, let $\mathrm{RExp}_\Sigma$ be the set of Kleene algebra terms over $\Sigma$. We call the elements of $\mathrm{RExp}_\Sigma$ regular expressions, and the elements of $\Sigma$ atomic program symbols. An interpretation is a homomorphism $I : \mathrm{RExp}_\Sigma \to K$, where $K$ is a Kleene algebra. $I$ is determined uniquely by its values on $\Sigma$.

Equations (2.1) and (2.3) say that $q^*p$ is the least solution to $p + qx \le x$, while (2.2) and (2.4) say that $pq^*$ is the least solution to $p + xq \le x$.

A straightforward and vital consequence of the KA axioms¹ is that the operations $+$, $\cdot$, and $*$ are monotone: if $x_0 \le x_1$ and $y_0 \le y_1$, then $x_0 + y_0 \le x_1 + y_1$, $x_0y_0 \le x_1y_1$, and $x_0^* \le x_1^*$.

¹ The names of the categories we consider serve as convenient abbreviations for the type of algebra they contain. So, for example, "the KA axioms" means "the axioms of Kleene algebra".
We use $\models$ to denote ordinary Tarskian satisfaction. However, since we have constant symbols from $\Sigma$ not in the signatures of the underlying algebras, we will pair each algebra with an interpretation when speaking about satisfaction. For example, given a Kleene algebra $K$, interpretation $I : \mathrm{RExp}_\Sigma \to K$, and formula $\varphi$ whose atomic program symbols are among $\Sigma$, we will write $K, I \models \varphi$ to indicate that $K$ satisfies $\varphi$ when the symbols in $\Sigma$ are evaluated according to $I$. $K \models \varphi$ means that $K, I \models \varphi$ for every interpretation $I : \mathrm{RExp}_\Sigma \to K$. We also use $\models$ in two other standard ways: for a class $\mathcal{C}$ of algebras, $\mathcal{C} \models \varphi$ means that $K \models \varphi$ for each $K \in \mathcal{C}$; for a set $\Phi$ of formulas, $\Phi \models \varphi$ means that $K \models \varphi$ for each algebra $K$ satisfying every formula in $\Phi$.

We now introduce two particularly important types of Kleene algebras: language algebras and relational algebras.

Definition 2.3. For an arbitrary monoid $M$, its powerset $2^M$ forms a Kleene algebra as follows.

$$\begin{aligned}
0 &= \emptyset \\
1 &= \{1_M\} \quad (\text{where } 1_M \text{ is the identity of } M) \\
A + B &= A \cup B \\
A \cdot B &= \{xy \mid x \in A,\ y \in B\} \\
A^* &= \bigcup_{k \in \mathbb{N}} A^k
\end{aligned}$$

We let $\mathrm{REG}\,M$ denote the smallest subalgebra of $2^M$ containing the singletons $\{x\}$, $x \in M$. (The elements of $\mathrm{REG}\,M$ are the regular subsets of $M$.) $2^M$ and its subalgebras are known as language algebras.

Of particular interest is the case $M = \Sigma^*$, the monoid of all strings over alphabet $\Sigma$ under concatenation. The empty string $\varepsilon$ is the identity of this monoid. We define the canonical interpretation $R : \mathrm{RExp}_\Sigma \to \mathrm{REG}\,\Sigma^*$ by letting $R(p) = \{p\}$ (and extending $R$ homomorphically to the rest of $\mathrm{RExp}_\Sigma$). Note that we can interpret elements of $\Sigma^*$ as elements of $\mathrm{RExp}_\Sigma$ in the obvious fashion.

Definition 2.4. For an arbitrary set $X$, the set $2^{X \times X}$ of all binary relations on $X$ forms a Kleene algebra as follows.

$$\begin{aligned}
0 &= \emptyset \\
1 &= \iota_X = \{(x, x) \mid x \in X\} \\
S + T &= S \cup T \\
S \cdot T &= S \circ T \quad (\text{the composition of } S \text{ with } T) \\
S^* &= \bigcup_{k \in \mathbb{N}} S^k \quad (\text{the reflexive transitive closure of } S)
\end{aligned}$$

A Kleene algebra $K$ is relational if it is a subalgebra of $2^{X \times X}$ for some $X$; $X$ is called the base of $K$. We let RKA denote the category of all relational Kleene algebras and their homomorphisms.

The definitions of $*$ in $2^M$ and $2^{X \times X}$ exemplify the most common intuition about the meaning of $*$, which is that $y^* = \sup_{n \in \mathbb{N}} y^n$, or informally, $y^* = 1 + y + y^2 + \cdots$. (More generally, if we require that multiplication distributes over this supremum, we have $xy^*z = x1z + xyz + xy^2z + \cdots = \sup_{n \in \mathbb{N}} xy^nz$.) However, this property of $*$ does not follow from the KA *-axioms, and must be postulated separately.

Definition 2.5. A Kleene algebra $K$ is *-continuous if it satisfies

$$xy^*z = \sup_{n \in \mathbb{N}} xy^nz$$

for all $x, y, z \in K$. We let KA* denote the category of all *-continuous Kleene algebras and their homomorphisms.

Since relational composition distributes over arbitrary union, it is immediate from the definition of $*$ in $2^{X \times X}$ that relational Kleene algebras are *-continuous, so $\mathrm{RKA} \subset \mathrm{KA}^*$. The following ubiquitous lemma is a useful generalization of *-continuity.

Lemma 2.6. Suppose $K \in \mathrm{KA}^*$, $I : \mathrm{RExp}_\Sigma \to K$ is an interpretation, and $t \in \mathrm{RExp}_\Sigma$. Then

$$I(t) = \sup_{\sigma \in R(t)} I(\sigma) \,.$$

Proof. By induction on the structure of $t$. For details, see [?, Lemma 7.1, pp. 246-248]. □

2.2. Kleene Algebra with Tests. We can combine Kleene algebra with Boolean algebra to get Kleene algebra with tests. The Boolean aspect is useful for capturing Boolean aspects of programming semantics, particularly control flow and assertions.

Definition 2.7. A Kleene algebra with tests is a two-sorted structure $(K, B, +, \cdot, {}^*, \bar{\ }, 0, 1)$, where $(K, +, \cdot, {}^*, 0, 1)$ is a Kleene algebra, and $(B, +, \cdot, \bar{\ }, 0, 1)$ is a Boolean subalgebra. The elements of $B$ are called tests. We let KAT denote the category of all Kleene algebras with tests and their homomorphisms; we let KAT* denote the subcategory of all *-continuous Kleene algebras with tests.

We now have two types of atomic symbols: programs and tests. For a finite set $P$ of atomic program symbols and a finite set $B$ of atomic test symbols, $\mathrm{RExp}_{P,B}$ is the set of KAT terms over $P$ and $B$; negation can only be applied to Boolean terms, which are terms built from $0, 1, +, \cdot, \bar{\ }$, and atomic test symbols. An interpretation $I : \mathrm{RExp}_{P,B} \to K$ must map each atomic test to a test in $K$ (and it follows by induction that it will map all Boolean terms to tests).

$2^{X \times X}$ forms a Kleene algebra with tests by keeping the previously defined Kleene algebra structure, and letting $B = \{b \in 2^{X \times X} \mid b \le \iota_X\}$, with $\bar{b} = \iota_X - b$. A Kleene algebra with tests $K$ is relational if it is a subalgebra of $2^{X \times X}$ for some $X$. We let RKAT denote the category of all relational Kleene algebras with tests and their homomorphisms.

Every Kleene algebra induces a Kleene algebra with tests by letting $B = \{0, 1\}$, the two-element Boolean algebra; conversely, every Kleene algebra with tests induces a Kleene algebra by taking its reduct to the signature of Kleene algebra (i.e., taking its image under the map $(K, B, +, \cdot, {}^*, \bar{\ }, 0, 1) \mapsto (K, +, \cdot, {}^*, 0, 1)$). With this in mind, it is easy to see that for any formula $\varphi$ in the language of Kleene algebra, $\mathrm{KAT} \models \varphi \iff \mathrm{KA} \models \varphi$, $\mathrm{KAT}^* \models \varphi \iff \mathrm{KA}^* \models \varphi$, and $\mathrm{RKAT} \models \varphi \iff \mathrm{RKA} \models \varphi$.

There is an analog of $\mathrm{REG}\,\Sigma^*$ for KAT called the guarded-string model, with its own analog of the canonical interpretation $R$. Though the guarded-string model is in general very important for studying KAT, we will not need it for our results here, and refer the reader to [?] for further information on guarded strings.

The following elementary lemma about subalgebras will be needed in Lemma 3.3.

Lemma 2.8. Let $K \in \mathrm{KA}$ and let $x \in K$. Then $\{y \in K \mid y \le x\}$ is a subalgebra of $K$ iff $x = y^*$ for some $y \in K$ (or equivalently, $x = x^*$). The same also holds for KATs. (Note that this is not claiming that all subalgebras of $K$ have this form.)

The proof is straightforward and may safely be skipped.

Proof. Let $K' = \{y \in K \mid y \le x\}$.

Suppose $K'$ is a subalgebra of $K$. Then $x^* \in K'$, so $x^* \le x$, so $x = x^*$.

Suppose $x = y^*$ for some $y \in K$. Then $x^* = y^{**} = y^* = x$. The necessary closure conditions follow from monotonicity and the fact that $0 + 1 + xx + (x + x) + x^* \le x^*$. (For example, for any $y_1, y_2 \in K'$, we have $y_1y_2 \le xx \le x^*$.) □

2.3. Universal Horn Formulas.

Definition 2.9. A universal Horn formula is a formula of the form

$$s_1 = t_1 \wedge \cdots \wedge s_k = t_k \to s = t \,,$$

where $s_i, t_i, s, t$ are terms. The set of universal Horn formulas valid over a class $\mathcal{C}$ of algebras is the universal Horn theory of $\mathcal{C}$, which we denote by $\mathcal{H}\mathcal{C}$.

We will often drop the word "universal". Note that in KA and KAT, because any inequality $x \le y$ is actually an equation $x + y = y$, inequalities are allowed in Horn formulas. We will allow finite sets of equations to appear in the hypotheses of a Horn formula, by taking their conjunction; e.g., if $E = \{pq = qp,\ p \le 1\}$, then $E \to s = t$ means $(pq = qp \wedge p \le 1) \to s = t$.

Lemma 2.10. Let $\Gamma$ be any class of *-continuous Kleene algebras with interpretations. (That is, $\Gamma$ consists of pairs $(K, I)$ where $K \in \mathrm{KA}^*$ and $I : \mathrm{RExp}_\Sigma \to K$ is an interpretation.) Then for any Horn formula of the form $E \to s \le t$,

$$\Gamma \models E \to s \le t \iff (\forall \sigma \in R(s))\ \Gamma \models E \to \sigma \le t \,.$$

Proof. For any $K \in \mathrm{KA}^*$ with interpretation $I : \mathrm{RExp}_\Sigma \to K$, the equivalence

$$K, I \models E \to s \le t \iff (\forall \sigma \in R(s))\ K, I \models E \to \sigma \le t$$

is a straightforward consequence of Lemma 2.6. The lemma then follows by exchanging the universal quantifiers $(\forall \sigma \in R(s))$ and $(\forall (K, I) \in \Gamma)$. (This latter quantifier comes from $\Gamma \models E \to s \le t \iff (\forall (K, I) \in \Gamma)\ K, I \models E \to s \le t$.) □

2.4. A Proof System for $\mathcal{H}\mathrm{RKA}$. Later, in the proof of Lemma 3.5, we will use a proof-theoretic argument based on the infinitary proof system for $\mathcal{H}\mathrm{RKA}$ introduced in [6]. We will only present the material that we will need in Section 3.1 for the proof of Lemma 3.5; for a more thorough treatment, please see [?].

2.4.1. Finite Automata and Trees. Our proof system for $\mathcal{H}\mathrm{RKA}$ is based on trees of finite automata, and we must define a number of notions related to trees and automata before continuing.

Assume we have a fixed finite alphabet $\Sigma$. We let NFA denote the set of all nondeterministic finite automata over $\Sigma$, allowing $\varepsilon$-moves (also called $\varepsilon$-edges).

We will also use NFA as shorthand for nondeterministic finite automaton. For any NFA $A$, $L(A)$ denotes the language of $A$, and $|A|$ denotes the states of $A$. For states $v, w \in |A|$, let $A^{v,w}$ denote the NFA which is identical to $A$ except that it has $v$ and $w$ as its unique start and accept states, respectively. We fix distinct states $a$ and $b$, and let $\mathrm{NFA}^{a,b}$ be the set of all $A \in \mathrm{NFA}$ which have unique start state $a$ and unique accept state $b$. We define $F_0 \in \mathrm{NFA}^{a,b}$ to have states $\{a, b\}$ and no edges.

Given an NFA $A$ and states $v, w \in |A|$, we will sometimes want to "insert" a string $\tau \in \Sigma^*$ into $L(A^{v,w})$. For this purpose, we define $A' = \mathrm{insert2}(A, v, w, \tau)$ as follows.

(1) If $\tau = p_1 \cdots p_k$ with $p_i \in \Sigma$ and $k > 0$, we obtain $A'$ from $A$ by adding $k - 1$ new states $x_1, \ldots, x_{k-1}$ and adding edges

$$v \xrightarrow{p_1} x_1 \xrightarrow{p_2} \cdots \xrightarrow{p_{k-1}} x_{k-1} \xrightarrow{p_k} w \,.$$

(2) If $\tau = \varepsilon$, then we add an $\varepsilon$-edge from $v$ to $w$ and also from $w$ to $v$. (Where it is used, $\mathrm{insert2}(A, v, w, \varepsilon)$ corresponds to identifying $v$ and $w$ with each other. The edge from $w$ to $v$, called a reverse $\varepsilon$-edge, is needed to capture the symmetry of the identity relation.)

We now move on to trees. $\mathbb{N}^*$ is the set of all finite strings of naturals (including the empty string). A set $T \subseteq \mathbb{N}^*$ is a tree if it is closed under taking initial segments. A function $f : \mathbb{N} \to \mathbb{N}$ can be treated as an infinite sequence of naturals, and for $n \in \mathbb{N}$, we let $f \restriction n$ denote the initial segment of $f$ of length $n$. Such an $f$ is a path through a tree $T$ if $(f \restriction n) \in T$ for all $n \in \mathbb{N}$. (We find this a concise framework for countably-branching trees, but it is not strictly necessary to define trees in this manner.)

2.4.2. Relational Proofs. The following definition of relational proof captures, with trees of finite automata, the combinatorics of attempting to construct a relational counterexample to a Horn formula. A path through such a tree yields a relational model in which the formula fails, while well-foundedness establishes the impossibility of a counterexample (i.e., the relational validity of the formula).

Definition 2.11. Let $E \to \sigma \le t$ be a Horn formula in the language of KA with $\sigma \in \Sigma^*$ and $t \in \mathrm{RExp}_\Sigma$. We assume that all hypotheses in $E$ are inequalities $x \le y$, by breaking any equations $x = y$ into $x \le y \wedge y \le x$ as necessary. We fix distinct states $a$ and $b$ as above. We fix a special symbol CON, which will signify contradiction.

A relational tree for $E \to \sigma \le t$ is a pair $(T, A)$ where $T \subseteq \mathbb{N}^*$ is a tree and $A : T \to \mathrm{NFA}^{a,b} \cup \{\mathrm{CON}\}$ such that the following conditions hold. ($A_f$ will denote $A(f)$.)

(1) At the root, we have $A_\varepsilon = \mathrm{insert2}(F_0, a, b, \sigma)$.

(2) $f \in T$ is a leaf node if and only if $A_f = \mathrm{CON}$ or $R(t) \cap L(A_f) \ne \emptyset$.

(3) If $f$ is not a leaf node, then there exist $v, w \in |A_f|$ (possibly equal), an inequality $r \le r'$ in $E$, and $\rho \in L(A_f^{v,w}) \cap R(r)$ such that

(a) if $R(r') = \emptyset$ (typically because $r' = 0$), then $f$ has one child $g$, with $A_g = \mathrm{CON}$;

(b) if $R(r') \ne \emptyset$, then $f$ has one child $g_\tau$ for each $\tau \in R(r')$, with $A_{g_\tau} = \mathrm{insert2}(A_f, v, w, \tau)$.

(We say that the hypothesis $r \le r'$ is applied at $f$.)
A relational proof of $E \to \sigma \le t$ is a well-founded relational tree for $E \to \sigma \le t$. We say $E \to \sigma \le t$ is relationally provable if such a proof exists.

Lemma 2.12. For any Horn formula of the form $E \to \sigma \le t$, the following are equivalent.

(i) $\mathrm{RKA} \models E \to \sigma \le t$

(ii) $E \to \sigma \le t$ is relationally provable.

Proof. See [5] or [?]. □

The notion of relational provability can be extended to arbitrary Horn formulas, but we will not need it for the proof of Lemma 3.5.

2.5. The Relationship Between $\mathcal{H}\mathrm{RKA}$ and $\mathcal{H}\mathrm{RKAT}$. The system presented in Section 2.4 is a tool for studying $\mathcal{H}\mathrm{RKA}$, while in Lemma 3.5 we will wish to use it to draw conclusions about $\mathcal{H}\mathrm{RKAT}$. This must be rectified, and there are multiple ways to proceed. One would be to modify the notion of relational proof so that it applies to $\mathcal{H}\mathrm{RKAT}$; this would present no particular difficulty, but would require a closer look at relational proofs than we would like to get into here. Instead, we will show how to reduce questions about $\mathcal{H}\mathrm{RKAT}$ to $\mathcal{H}\mathrm{RKA}$, in a way that will allow us to use the existing definition of relational proof when proving Lemma 3.5.

Lemma 2.13. For any Horn formula $\varphi$ of KAT, there is a Horn formula $\mathrm{Tr}(\varphi)$ of KA such that $\mathrm{RKAT} \models \varphi$ iff $\mathrm{RKA} \models \mathrm{Tr}(\varphi)$.

The lemma is uninteresting without putting restrictions on the translation Tr. However, instead of trying to capture the desired properties of Tr for inclusion in the lemma, we just give the proof, and observe later that the translation works for a particular purpose when the need arises.

Proof. (Outline: we first assume that negation is only applied to atomic tests, then replace the negations of atomic tests with fresh program symbols, and finally add new hypotheses to ensure that the new program symbols behave like the negated tests they replace.)

Fix a set $P$ of atomic program symbols, and a set $B$ of atomic tests. Given any $s \in \mathrm{RExp}_{P,B}$, we can assume without loss of generality that negation is only applied to atomic tests, in light of De Morgan's Laws.

For each $b \in B$, we introduce two new atomic program symbols $\hat{b}$ and $\tilde{b}$, and we let $\Sigma = P \cup \{\hat{b}, \tilde{b} \mid b \in B\}$. For any $t \in \mathrm{RExp}_{P,B}$, we let $\hat{t}$ be the result of taking $t$, and replacing all occurrences of $\bar{b}$ with $\tilde{b}$, and all positive occurrences of $b$ with $\hat{b}$ (for each $b \in B$). Note that $\hat{t} \in \mathrm{RExp}_\Sigma$. For any formula $\varphi$, we let $\hat{\varphi}$ be the result of replacing each term $t$ in $\varphi$ with $\hat{t}$.

Now take any Horn formula $\varphi$ of the form $\theta \to \psi$ (with all terms in $\mathrm{RExp}_{P,B}$). Let $\mathrm{Tr}(\varphi)$ be the formula

$$\Big( \hat{\theta} \wedge \bigwedge_{b \in B} (\hat{b} + \tilde{b} = 1 \wedge \hat{b} \cdot \tilde{b} = 0) \Big) \to \hat{\psi} \,.$$

(The extra hypotheses make $\hat{b}$ and $\tilde{b}$ behave like Boolean complements of each other.) We now show $\mathrm{RKAT} \models \varphi$ iff $\mathrm{RKA} \models \mathrm{Tr}(\varphi)$.

For the right-to-left implication, suppose $\mathrm{RKAT} \not\models \varphi$. Let $K \in \mathrm{RKAT}$ with interpretation $I : \mathrm{RExp}_{P,B} \to K$ such that $K, I \not\models \varphi$. Then $K, I \models \theta \wedge \neg\psi$. Define the interpretation $\hat{I} : \mathrm{RExp}_\Sigma \to K$ by

$$\hat{I}(p) = \begin{cases} I(p), & \text{if } p \in P, \\ I(\bar{b}), & \text{if } p = \tilde{b}, \\ I(b), & \text{if } p = \hat{b}. \end{cases}$$

A simple induction shows that for any $t \in \mathrm{RExp}_{P,B}$, $\hat{I}(\hat{t}) = I(t)$. It follows that $K, \hat{I} \models \hat{\theta} \wedge \neg\hat{\psi}$, since $K, I \models \theta \wedge \neg\psi$. Also,

$$K, \hat{I} \models \bigwedge_{b \in B} (\hat{b} + \tilde{b} = 1 \wedge \hat{b} \cdot \tilde{b} = 0) \,.$$

Thus $K, \hat{I} \not\models \mathrm{Tr}(\varphi)$, so $\mathrm{RKA} \not\models \mathrm{Tr}(\varphi)$ (recall that we can treat $K$ as a member of RKA by passing it through the forgetful functor which drops negation). Therefore, $\mathrm{RKA} \models \mathrm{Tr}(\varphi) \implies \mathrm{RKAT} \models \varphi$.

For the left-to-right implication, suppose that $\mathrm{RKA} \not\models \mathrm{Tr}(\varphi)$. Let $K \in \mathrm{RKA}$ with interpretation $I : \mathrm{RExp}_\Sigma \to K$ such that $K, I \not\models \mathrm{Tr}(\varphi)$. Let $X$ be the base of $K$. Then $K \subseteq 2^{X \times X}$, so $2^{X \times X}, I \not\models \mathrm{Tr}(\varphi)$; that is,

$$2^{X \times X}, I \models \hat{\theta} \wedge \bigwedge_{b \in B} (\hat{b} + \tilde{b} = 1 \wedge \hat{b} \cdot \tilde{b} = 0) \wedge \neg\hat{\psi} \,.$$

In particular, for any $b \in B$, $I(\hat{b}) \cup I(\tilde{b}) = I(1)$, and $I(\hat{b}) \circ I(\tilde{b}) = \emptyset$; it follows that $I(\hat{b}) \cap I(\tilde{b}) = \emptyset$ (since $R \cap S = R \circ S$ whenever $R, S \subseteq I(1)$), so $I(\tilde{b}) = I(1) - I(\hat{b})$. Define the interpretation $I' : \mathrm{RExp}_{P,B} \to 2^{X \times X}$ by

$$I'(p) = I(p) \,, \qquad I'(b) = I(\hat{b}) \,.$$

We have

$$I'(\bar{b}) = I'(1) - I'(b) = I(1) - I(\hat{b}) = I(\tilde{b}) \,.$$

It follows that, for any $t \in \mathrm{RExp}_{P,B}$, $I'(t) = I(\hat{t})$. So, $2^{X \times X}, I' \models \theta \wedge \neg\psi$, since $2^{X \times X}, I \models \hat{\theta} \wedge \neg\hat{\psi}$, giving us $\mathrm{RKAT} \not\models \varphi$. Therefore, $\mathrm{RKAT} \models \varphi \implies \mathrm{RKA} \models \mathrm{Tr}(\varphi)$, completing the proof. □

3. Main Results 

3.1. Eliminating r = 0. 

Definition 3.1. For a fixed set $P = \{p_1, \ldots, p_n\}$ of atomic program symbols, the universal regular expression $u$ is defined by

$$u = (p_1 + \cdots + p_n)^* \,.$$

We trivially have $\mathrm{KAT} \models u = uu = u^*$, and a straightforward induction shows that, for any $s \in \mathrm{RExp}_{P,B}$, $\mathrm{KAT} \models s \le u$.

Our goal is the following theorem. 

Theorem 3.2. Let $u$ be the universal regular expression, let $E$ be any finite set of hypotheses, and let $r, s, t \in \mathrm{RExp}_{P,B}$. Then the following equivalences hold.

$$\mathrm{KAT} \models E \wedge r = 0 \to s = t \iff \mathrm{KAT} \models E \to s + uru = t + uru \qquad (3.1)$$
$$\mathrm{KAT}^* \models E \wedge r = 0 \to s = t \iff \mathrm{KAT}^* \models E \to s + uru = t + uru \qquad (3.2)$$
$$\mathrm{RKAT} \models E \wedge r = 0 \to s = t \iff \mathrm{RKAT} \models E \to s + uru = t + uru \qquad (3.3)$$

Note that the special case $E = \emptyset$ is essentially Theorem 1.1 (when $E = \emptyset$, the right hand sides of (3.1)-(3.3) are equivalent, since the equational theories of KAT, KAT*, and RKAT coincide; when $E \ne \emptyset$, the right hand sides of (3.1)-(3.3) are no longer necessarily equivalent, which prevents Theorem 3.2 from having the same form as Theorem 1.1). Note also that for any formula $\varphi$ in the language of KA, we have $\mathrm{KA} \models \varphi$ iff $\mathrm{KAT} \models \varphi$, $\mathrm{KA}^* \models \varphi$ iff $\mathrm{KAT}^* \models \varphi$, etc., so Theorem 3.2 also applies to KA, KA*, and RKA. (Alternatively, omitting the Boolean aspects of the proof that follows would yield a proof of the analogous theorem for KA, KA*, and RKA.)

We prove each equivalence as a separate lemma. Fix u, E, r, s, t, as above. 

Lemma 3.3.

$$\mathrm{KAT} \models E \wedge r = 0 \to s = t \iff \mathrm{KAT} \models E \to s + uru = t + uru$$

Proof. The right-to-left implication is trivial: reasoning under $E \wedge r = 0$, we have $s = s + 0 = s + uru = t + uru = t + 0 = t$. (Note that this argument also applies to KAT* and RKAT.)

For the left-to-right implication, suppose $\mathrm{KAT} \models E \wedge r = 0 \to s = t$. Take any $K \in \mathrm{KAT}$ with interpretation $I$ such that $K, I \models E$. Let $\bot = I(uru)$, $\top = I(u)$, noting that $\top^* = \top$, $\bot = \top\bot = \bot\top$, and $\bot\bot \le \bot$. Let $K' = \{x \in K \mid x \le \top\}$. This is a subalgebra of $K$ by Lemma 2.8, since $\top = \top^*$. $I$ is an interpretation into $K'$.

Define the map $f : K' \to K'$ by $f(x) = x + \bot$. Let $L = f[K']$, the image of $K'$ under $f$. $\top$ and $\bot$ are respectively the greatest and least elements of $L$. Note that for any $x \in K'$, $x\top \le \top$, so $x\bot = x\top\bot \le \top\bot = \bot$. We similarly have $\bot x \le \bot$.

Define $L$ to be the structure $(L, f[B], +, \cdot_L, {}^*, \sim, 0_L, 1_L)$, in the signature of KAT, where $B$ is the set of tests of $K'$, multiplication is $x \cdot_L y = xy + \bot$, and the Boolean complement $\sim$ is defined by ${\sim}f(c) = f(\bar{c})$. We must show that $\sim$ is well-defined. Suppose $f(c) = f(d)$. Then

$$\begin{aligned}
f(\bar{c}) &= \bar{c} + \bot \\
&\le (\bar{c} + \bot)(1 + \bot) \\
&= (\bar{c} + \bot)(d + \bar{d} + \bot) \\
&= (\bar{c} + \bot)(c + \bar{d} + \bot) \quad (\text{since } c + \bot = f(c) = f(d) = d + \bot) \\
&= \bar{c}c + \bar{c}\bar{d} + \bar{c}\bot + \bot c + \bot\bar{d} + \bot\bot \\
&\le 0 + \bar{d} + \bot \\
&= f(\bar{d}) \,.
\end{aligned}$$

Similarly, $f(\bar{d}) \le f(\bar{c})$, so $f(\bar{c}) = f(\bar{d})$. Therefore, $\sim$ is well-defined.

We claim that $f : K' \to L$ is a homomorphism. (Note that this is different from claiming that $f : K' \to K'$ is a homomorphism, which is not true unless $\bot = 0$.) For any $x, y \in K'$, and $c$ a test in $K'$,

$$\begin{aligned}
f(0) &= 0_L \\
f(1) &= 1_L \\
f(x + y) &= x + y + \bot = x + \bot + y + \bot = f(x) + f(y) \\
f(xy) &= xy + \bot \\
&= xy + \bot y + x\bot + \bot\bot + \bot \quad (\text{since } \bot y + x\bot + \bot\bot \le \bot) \\
&= (x + \bot)(y + \bot) + \bot \\
&= f(x) \cdot_L f(y) \\
f(\bar{c}) &= {\sim}f(c) \,.
\end{aligned}$$

It remains to verify $f(x^*) = (f(x))^*$. We have

$$1 + (x + \bot)(x^* + \bot) = 1 + xx^* + x\bot + \bot x^* + \bot\bot \le x^* + \bot \,,$$

so the *-axioms give us $(x + \bot)^* \le x^* + \bot$. We have $x^* \le (x + \bot)^*$ and $\bot \le (x + \bot)^*$ trivially, so $x^* + \bot \le (x + \bot)^*$. Therefore, $f(x^*) = x^* + \bot = (x + \bot)^* = (f(x))^*$. So $f : K' \to L$ is a homomorphism.

We now claim that $L \in \mathrm{KAT}$. Since $f : K' \to L$ is a homomorphism and $K' \in \mathrm{KAT}$, $L$ automatically satisfies the equational KAT axioms. We must now verify that $L$ satisfies the two remaining axioms, $p + q \cdot_L x \le x \to q^* \cdot_L p \le x$ and $p + x \cdot_L q \le x \to p \cdot_L q^* \le x$.

Suppose that $p + q \cdot_L x \le x$. We must show $q^* \cdot_L p \le x$. We have $p + qx + \bot = p + q \cdot_L x \le x$. From $p + qx \le x$ we conclude $q^*p \le x$; combining this with $\bot \le x$, we have $q^* \cdot_L p = q^*p + \bot \le x$, as desired. Similarly, $p + x \cdot_L q \le x \to p \cdot_L q^* \le x$. So $L \in \mathrm{KAT}$.

Define the interpretation $J : \mathrm{RExp}_{P,B} \to L$ by $J(q) = f(I(q))$. Since $K', I \models E$, it immediately follows that $L, J \models E$. Also, $J(r) \le J(uru) = f(I(uru)) = f(\bot) = \bot + \bot = 0_L$, so $L, J \models r = 0$. Therefore, the assumption $\mathrm{KAT} \models E \wedge r = 0 \to s = t$ gives us $L, J \models s = t$. Therefore,

$$I(s + uru) = I(s) + I(uru) = I(s) + \bot = f(I(s)) = J(s) = J(t) = I(t + uru) \,.$$

Thus, $K, I \models s + uru = t + uru$. □

Lemma 3.4.

$$\mathrm{KAT}^* \models E \wedge r = 0 \to s = t \iff \mathrm{KAT}^* \models E \to s + uru = t + uru$$

Proof. The right-to-left implication is as in Lemma 3.3.

For the left-to-right implication, it suffices to verify that the construction in the proof of Lemma 3.3 preserves *-continuity. Letting $q^{(n)}$ denote the $n$-th power of $q$ under $\cdot_L$ (with $q^{(0)} = 1_L$), we have

$$\sup_n\, p \cdot_L q^{(n)} \cdot_L r = \sup_n\, (pq^nr + \bot) = pq^*r + \bot = p \cdot_L q^* \cdot_L r \,.$$

(For the second equality above, one can observe that $pq^nr + \bot \le pq^*r + \bot$ for all $n$, and that if $x$ is any upper bound for $pq^nr + \bot$, then $pq^*r = \sup_n pq^nr \le x$ and $\bot \le x$, so $pq^*r + \bot \le x$. So $\sup_n (pq^nr + \bot) = pq^*r + \bot$.) □
Lemma 3.5.

$$\mathrm{RKAT} \models E \wedge r = 0 \to s = t \iff \mathrm{RKAT} \models E \to s + uru = t + uru$$

Proof. The right-to-left implication is as in Lemma 3.3.

For the left-to-right implication, using the above construction would require verifying that $L$ has a relational representation, which is not clear. Instead, we use a proof-theoretic argument. Suppose $\mathrm{RKAT} \models E \wedge r = 0 \to \sigma \le t$, where $\sigma \in R(s)$. $r = 0$ is equivalent to $r \le 0$, and $\mathrm{KAT} \models t \le t + uru$, so $\mathrm{RKAT} \models E \wedge r \le 0 \to \sigma \le t + uru$.

For the moment, suppose that the formulas are in the language of KA, so that we can speak about relational proofs without worrying about tests. Let $(T, A)$ be a relational proof of $E \wedge r \le 0 \to \sigma \le t + uru$.

We claim that the hypothesis $r \le 0$ is never even applied in the proof! Suppose $r \le 0$ is applied at node $f \in T$ (so $f$ has one child $g$ with $A_g = \mathrm{CON}$). For $r \le 0$ to be applied at $f$, there must be states $v, w \in |A_f|$ and $\rho \in R(r)$ with $\rho \in L(A_f^{v,w})$. A property that is preserved in the automata of relational trees is that every state is accessible from the start state $a$, and the accept state $b$ is accessible from every state. So there exist $\pi \in L(A_f^{a,v})$ and $\pi' \in L(A_f^{w,b})$. Thus, we have $\pi\rho\pi' \in L(A_f)$; we also have $\pi\rho\pi' \in R(uru) \subseteq R(t + uru)$. Therefore, $R(t + uru) \cap L(A_f) \ne \emptyset$, so $f$ is in fact a leaf node, contradicting the assumption that we are applying $r \le 0$ at $f$. (In other words, at any point in a relational tree for $E \wedge r \le 0 \to \sigma \le t + uru$ where we could apply $r \le 0$, we would already have to be at a leaf.)

So, because $r \le 0$ is never applied, $(T, A)$ is also a relational proof of $E \to \sigma \le t + uru$. Therefore, $\mathrm{RKA} \models E \to \sigma \le t + uru$ for all $\sigma \in R(s)$. By Lemma 2.10, $\mathrm{RKA} \models E \to s \le t + uru$, so $\mathrm{RKA} \models E \to s + uru \le t + uru$. $\mathrm{RKA} \models E \to t + uru \le s + uru$ is similar, and we now have $\mathrm{RKA} \models E \to s + uru = t + uru$.

In case the formulas are not in the language of KA, we can use the translation from Section 2.5 as follows. We use the above argument to get

$$\mathrm{RKA} \models \mathrm{Tr}(E \wedge r = 0 \to s = t) \implies \mathrm{RKA} \models \mathrm{Tr}(E \to s + uru = t + uru) \,.$$

(The extra hypotheses introduced by the translation may be treated the same as the hypotheses in $E$. A subtle point here is that the translation introduces new program symbols, without adding them to the universal regular expression; however, the hypotheses added by the translation force the interpretations of these extra symbols to be below $1$, so they could be added to the universal regular expression without affecting the validity of any formulas involved.) We then have

$$\begin{aligned}
\mathrm{RKAT} \models E \wedge r = 0 \to s = t &\implies \mathrm{RKA} \models \mathrm{Tr}(E \wedge r = 0 \to s = t) \\
&\implies \mathrm{RKA} \models \mathrm{Tr}(E \to s + uru = t + uru) \\
&\implies \mathrm{RKAT} \models E \to s + uru = t + uru \,. \qquad \square
\end{aligned}$$

Proof of Theorem 3.2. Immediate from Lemmas 3.3-3.5. □

3.2. Idempotent Syntactic Homomorphisms. We can also eliminate hypotheses of the form $cp = c$ ($c$ Boolean, $p$ atomic) in the presence of other hypotheses, but not as cleanly as we eliminated $r = 0$: in this case, the remaining hypotheses will be modified.

The basic idea behind the technique was introduced in [7], which showed how to simultaneously eliminate hypotheses of the form $cp = c$ and $r = 0$. Ernie Cohen later observed that the portion of the proof specific to $cp = c$ was unnecessarily complicated [3]. What we present here is a simplified argument, that is also more general because it works in the presence of other hypotheses. Furthermore, in light of Theorem 3.2, we no longer need to worry about integrating the elimination of $r = 0$ into the argument, since that can be done separately.

Definition 3.6. $H : \mathrm{RExp}_{P,B} \to \mathrm{RExp}_{P,B}$ is a syntactic homomorphism if for any interpretation
$I : \mathrm{RExp}_{P,B} \to K$ (where $K \in \mathrm{KAT}$), $I \circ H : \mathrm{RExp}_{P,B} \to K$ is also an interpretation.

For any syntactic homomorphism $H : \mathrm{RExp}_{P,B} \to \mathrm{RExp}_{P,B}$, let $E_H$ be the set of hypotheses

$$\{\, p = H(p) \mid p \in P \,\} \cup \{\, b = H(b) \mid b \in B \,\}.$$

Definition 3.6 is equivalent to saying that $H$ is a homomorphism up to KAT-provable
equality. A consequence is that $H$ is uniquely determined (up to KAT-provable equality) by
its action on $P$ and $B$; the set of equations $E_H$ then, in a certain sense, captures the action
of $H$.

(For readers familiar with guarded strings, Definition 3.6 is equivalent to saying that
$G \circ H$ is an interpretation, where $G$ is the guarded-string interpretation. More abstractly,
the definition is equivalent to saying that $H$ is a lift of an endomorphism on the guarded-string
model; that is, there is an endomorphism $h$ on the guarded-string model such that
$G \circ H = h \circ G$.)

Lemma 3.7. If $H : \mathrm{RExp}_{P,B} \to \mathrm{RExp}_{P,B}$ is a syntactic homomorphism, then for any $r \in \mathrm{RExp}_{P,B}$,

$$\mathrm{KAT} \models E_H \to r = H(r).$$

Proof. Straightforward induction on the structure of $r$. $\square$

Definition 3.8. $H : \mathrm{RExp}_{P,B} \to \mathrm{RExp}_{P,B}$ is idempotent if for all $r \in \mathrm{RExp}_{P,B}$,

$$\mathrm{KAT} \models H(r) = H(H(r)).$$

Theorem 3.9. Suppose $H : \mathrm{RExp}_{P,B} \to \mathrm{RExp}_{P,B}$ is an idempotent syntactic homomorphism,
and that $E$ is a set of hypotheses. Let $H(E)$ denote the set of hypotheses

$$\{\, H(r) = H(r') \mid r = r' \text{ is in } E \,\}.$$

Then for any $s, t \in \mathrm{RExp}_{P,B}$ and $K \in \mathrm{KAT}$,

$$K \models E \wedge E_H \to s = t \iff K \models H(E) \to H(s) = H(t).$$

Proof. For the right-to-left implication, suppose $K \models H(E) \to H(s) = H(t)$ and that we
have an interpretation $I : \mathrm{RExp}_{P,B} \to K$ with $K, I \models E \wedge E_H$. Then by Lemma 3.7,
$K, I \models H(E) \wedge s = H(s) \wedge t = H(t)$. It follows by assumption that $K, I \models H(s) = H(t)$.
We now have $K, I \models s = H(s) = H(t) = t$. Therefore, $K \models E \wedge E_H \to s = t$.

For the left-to-right implication, suppose $K \models E \wedge E_H \to s = t$, and that we have an
interpretation $I : \mathrm{RExp}_{P,B} \to K$ with $K, I \models H(E)$. Define $I' : \mathrm{RExp}_{P,B} \to K$ by $I' = I \circ H$.
$I'$ is an interpretation by Definition 3.6. For any $p \in P$, idempotence of $H$ gives us $I'(p) =
I(H(p)) = I(H(H(p))) = I'(H(p))$; similarly, $I'(b) = I'(H(b))$ for $b \in B$, so $K, I' \models E_H$.
For any equation $r = r'$ in $E$, $K, I \models H(E)$ gives us $I'(r) = I(H(r)) = I(H(r')) = I'(r')$,
so $K, I' \models E$. Therefore, by the assumption $K \models E \wedge E_H \to s = t$, we have $K, I' \models s = t$,
and hence $I(H(s)) = I'(s) = I'(t) = I(H(t))$. Therefore $K, I \models H(s) = H(t)$, as desired. $\square$
Corollary 3.10. Suppose $F$ is a set of hypotheses $c_i p_i = c_i$, $1 \le i \le k$, where $p_1, \ldots, p_k \in P$
are distinct, and each $c_i$ is a Boolean term. Define $H : \mathrm{RExp}_{P,B} \to \mathrm{RExp}_{P,B}$ by $H(r) =
r[p_i / \bar{c}_i p_i + c_i]$, the result of substituting $\bar{c}_i p_i + c_i$ for $p_i$ in $r$ (for each $i$). Then for any set
$E$ of hypotheses, $s, t \in \mathrm{RExp}_{P,B}$, and $K \in \mathrm{KAT}$, we have

$$K \models E \wedge F \to s = t \iff K \models H(E) \to H(s) = H(t).$$

Proof. It is easy to verify that $H$ is an idempotent syntactic homomorphism: substitution commutes with the
operations of the language, and $H(H(p_i)) = \bar{c}_i(\bar{c}_i p_i + c_i) + c_i = \bar{c}_i p_i + c_i = H(p_i)$.

Next, observe that $\mathrm{KAT} \models c_i p_i = c_i \iff p_i = \bar{c}_i p_i + c_i$: if $c_i p_i = c_i$ then
$p_i = (c_i + \bar{c}_i)p_i = c_i p_i + \bar{c}_i p_i = \bar{c}_i p_i + c_i$, and conversely $c_i(\bar{c}_i p_i + c_i) = 0 + c_i = c_i$.
Every equation in $E_H$ is either
of the form $p_i = \bar{c}_i p_i + c_i$, or is a tautology such as $b = b$, so $F$ is equivalent to $E_H$. The
corollary now follows immediately from Theorem 3.9. $\square$

The restriction that the $p_i$ be distinct in Corollary 3.10 is not a significant imposition,
since we can combine $c_i p_i = c_i$ and $c_j p_j = c_j$, for $p_i = p_j$, into $(c_i + c_j)p_i = c_i + c_j$. (Supposing
$cp = c$ and $dp = d$, we have $(c + d)p = cp + dp = c + d$. Supposing $(c + d)p = c + d$, we have
$c \le c + d$, so $c(c + d) = c$, giving us $cp = c(c + d)p = c(c + d) = c$; $dp = d$ follows similarly.)
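The following Python script is an added illustration of Lemma 3.7, Definition 3.8 and Corollary 3.10; it is not code from the paper. It assumes a small tuple encoding of KAT terms and two constructed relational models on the three states $x \in \{0, 1, 2\}$, with the single atomic program $p$ and the single test $b$ meaning "$x = 0$". In the first model $p$ is "$x := 0$", so the hypothesis $bp = b$ holds; in the second $p$ is "$x := x + 1 \bmod 3$", so it fails. The script applies the substitution $H(r) = r[p / \bar{b}p + b]$ and checks relationally that $H(r) = r$ where the hypothesis holds, that $bH(p) = b$ holds even where it does not, that $H$ is idempotent, and that the Horn formula $bp = b \to bpp = b$ turns into an equation $H(bpp) = H(b)$ that is valid without any hypothesis.

```python
"""Relational KAT models on a finite state space, exercising the substitution
H(r) = r[p / ~c p + c] of Corollary 3.10 (added example; the term encoding and
the models below are constructed for this illustration).

Terms are nested tuples: ('0',), ('1',), ('p', name) atomic program, ('b', name)
atomic test, ('not', t) negation of a Boolean term, ('+', s, t), ('.', s, t), ('*', s).
"""


def P(name): return ('p', name)
def B(name): return ('b', name)
def NOT(t): return ('not', t)
def PLUS(s, t): return ('+', s, t)


def DOT(*ts):
    """Sequential composition of one or more terms, nested to the right."""
    out = ts[-1]
    for t in reversed(ts[:-1]):
        out = ('.', t, out)
    return out


def sub(term, p, repl):
    """Replace every occurrence of the atomic program p in term by repl."""
    kind = term[0]
    if kind == 'p':
        return repl if term[1] == p else term
    if kind in ('0', '1', 'b'):
        return term
    return (kind,) + tuple(sub(t, p, repl) for t in term[1:])


def H(term, hyps):
    """Corollary 3.10: for hypotheses c_i p_i = c_i, given as (p_i, c_i) pairs with
    distinct p_i and Boolean c_i, substitute ~c_i p_i + c_i for p_i.  Since no c_i
    mentions a program, doing the substitutions one after another is the same as
    doing them simultaneously."""
    for p, c in hyps:
        term = sub(term, p, PLUS(DOT(NOT(c), P(p)), c))
    return term


# --- relational semantics ---------------------------------------------------

def identity(states):
    return frozenset((s, s) for s in states)


def compose(r1, r2):
    return frozenset((a, c) for (a, b) in r1 for (b2, c) in r2 if b == b2)


def star(r, states):
    """Reflexive transitive closure as a least fixpoint; finite, so it terminates."""
    acc = identity(states)
    while True:
        nxt = acc | compose(acc, r)
        if nxt == acc:
            return acc
        acc = nxt


def ev(term, model):
    """Interpret a term as a binary relation on model['states'].  Tests denote
    subsets of the identity relation and 'not' complements within it."""
    states, kind = model['states'], term[0]
    if kind == '0': return frozenset()
    if kind == '1': return identity(states)
    if kind == 'p': return model['progs'][term[1]]
    if kind == 'b': return frozenset((s, s) for s in model['tests'][term[1]])
    if kind == 'not': return identity(states) - ev(term[1], model)
    if kind == '+': return ev(term[1], model) | ev(term[2], model)
    if kind == '.': return compose(ev(term[1], model), ev(term[2], model))
    if kind == '*': return star(ev(term[1], model), states)
    raise ValueError(f"unknown term {term!r}")


def equal(s, t, model):
    """Does the relational model satisfy the equation s = t?"""
    return ev(s, model) == ev(t, model)


# --- constructed models: one variable x ranging over {0, 1, 2} ---------------

STATES = (0, 1, 2)


def model(prog):
    return {'states': STATES, 'progs': {'p': frozenset(prog)},
            'tests': {'b': {0}}}                    # b is the test "x = 0"


ASSIGN_ZERO = model([(x, 0) for x in STATES])           # p is "x := 0"
INCREMENT = model([(x, (x + 1) % 3) for x in STATES])   # p is "x := x + 1 mod 3"

p, b = P('p'), B('b')
F = [('p', b)]                 # the single hypothesis b p = b  (c = b, p = p)
s, t = DOT(b, p, p), b         # Horn formula under study:  b p = b  ->  b p p = b


def demo():
    return {
        # b p = b holds when p is "x := 0" but fails for the increment
        'hyp_in_assign_zero': equal(DOT(b, p), b, ASSIGN_ZERO),
        'hyp_in_increment': equal(DOT(b, p), b, INCREMENT),
        # Lemma 3.7: where E_H (here just b p = b) holds, r and H(r) coincide
        'lemma_3_7': equal(s, H(s, F), ASSIGN_ZERO),
        # c H(p) = c is a KAT identity, so it holds even where b p = b fails
        'hypothesis_built_in': equal(DOT(b, H(p, F)), b, INCREMENT),
        # Definition 3.8: H(H(r)) = H(r), checked semantically
        'idempotent': equal(H(p, F), H(H(p, F), F), INCREMENT),
        # the conclusion b p p = b is not valid on its own ...
        'conclusion_without_hyp': equal(s, t, INCREMENT),
        # ... but the reduced equation H(s) = H(t) holds with no hypotheses
        'reduced_equation': equal(H(s, F), H(t, F), INCREMENT),
    }


if __name__ == '__main__':
    for name, value in demo().items():
        print(f"{name:>24}: {value}")
```

Two finite models cannot establish KAT validity, only refute it; the point of the script is to make the reduction visible: the equation $H(s) = H(t)$ produced by Corollary 3.10 holds in a model where the original hypothesis is false, which is exactly what one expects of an equation that is valid outright, while the original conclusion $s = t$ fails there.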

4. Conclusion and Further Questions 

Statements about the semantics of a program can often be expressed as Horn formulas
in Kleene algebra with tests, and that is our primary motivation for studying the Horn
theory of Kleene algebra with tests here. Hypotheses of the form $r = 0$ are of particular
interest, because they can capture partial correctness assertions, which are vital to studying
the semantics of imperative programs.

While the validity of Horn formulas in Kleene algebra is not in general decidable, the
validity of equations is. We have shown how to eliminate hypotheses of the form $r = 0$,
even in the presence of other hypotheses; this allows us to extend any other technique for
eliminating hypotheses to include hypotheses of the form $r = 0$. We have also shown how
to eliminate hypotheses of the form $cp = c$ in the presence of other hypotheses (though
not as cleanly: the remaining hypotheses might be modified). Together, these allow us to decide the
validity of Horn formulas all of whose hypotheses have these two forms.

The following are a few questions for further work. What other forms of hypotheses 
can be eliminated? Can they be eliminated in the presence of other hypotheses? Are there 
useful decision procedures for the validity of certain classes of Horn formulas that are not 
based on eliminating hypotheses? 